[nycphp-talk] session validation between http requests
Konstantin Rozinov
krozinov at gmail.com
Sat Aug 1 03:35:06 EDT 2009
Hey guys,
Anyone doing session validation between HTTP requests? I know that
the HTTP headers can all be changed and spoofed, but for legitimate
users, I expect the HTTP headers I'm using below to NOT change between
requests, during the same session.
I've been looking into this lately, but ran across sites (like
http://shiflett.org/articles/the-truth-about-sessions) that say that
HTTP_ACCEPT_CHARSET can legitimately change between requests during a
session. I've never run into this in testing, so I was wondering if
somebody could confirm that statement?
What about the other HTTP headers I'm using below. Can those
legitimately and realistically change as well during a session?
Any ideas, comments, or suggestions would be greatly welcomed!
Thanks,
Konstantin
session_start();

// Build a client fingerprint from headers that should stay the same for a
// legitimate user within one session (all of them are client-supplied and
// can be spoofed, so this only supplements the session ID, never replaces it).
$client_id = '';
if (isset($_SERVER['HTTP_ACCEPT_CHARSET']) === true)
{
    $client_id .= $_SERVER['HTTP_ACCEPT_CHARSET'];
}
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) === true)
{
    $client_id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
}
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) === true)
{
    $client_id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
}
if (isset($_SERVER['HTTP_USER_AGENT']) === true)
{
    $client_id .= $_SERVER['HTTP_USER_AGENT'];
}

// First request of the session: record the fingerprint instead of comparing
// against a session value that does not exist yet (undefined index).
if (isset($_SESSION['client_id_hash']) === false)
{
    $_SESSION['client_id_hash'] = md5($client_id);
}
elseif ($_SESSION['client_id_hash'] !== md5($client_id))
{
    header('Location: /logout');
    exit();
}
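A hardened version of the same header-fingerprint check, added here as an example; it is not code from the original post. It assumes PHP 7.3 or later, a server-side secret held in the hypothetical constant FINGERPRINT_SECRET, and a /login path to send rejected requests to. It keys the fingerprint with an HMAC, compares it in constant time, destroys the session server-side on mismatch instead of relying on a redirect, regenerates the session ID when the fingerprint is first bound, and sets the cookie and strict-mode options that limit hijacking more than any fingerprint does. Accept-Charset, the header the post asks about, is deliberately left out.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.3+.
// FINGERPRINT_SECRET and the /login path are hypothetical placeholders.
declare(strict_types=1);

// Assumption: a random, server-only secret loaded from configuration.
// Keying the hash keeps a leaked session store from revealing the raw
// User-Agent; it does not stop an attacker who already has the victim's
// headers, which is why the session settings at the bottom matter more.
const FINGERPRINT_SECRET = 'replace-with-32-random-bytes-from-config';

// Only User-Agent is used: it is the header least likely to change for one
// user inside one session. Accept-Charset is left out because the thread
// reports it can change mid-session, and current browsers mostly omit it.
// Appending Accept-Language or Accept-Encoding tightens the check at the
// cost of more false logouts (proxies and browser updates alter them).
function client_fingerprint(array $server, string $secret): string
{
    $material = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $material, $secret);
}

// Returns true when the request may continue under the current session.
function validate_session(array $server, string $secret): bool
{
    $current = client_fingerprint($server, $secret);

    if (!isset($_SESSION['client_fp'])) {
        // First request of this session: bind the fingerprint to a fresh
        // session ID so a pre-set (fixated) ID is not carried forward.
        session_regenerate_id(true);
        $_SESSION['client_fp'] = $current;
        return true;
    }

    // hash_equals compares in constant time; !== stops at the first
    // differing byte and leaks its position through timing.
    if (!hash_equals($_SESSION['client_fp'], $current)) {
        // Kill the session server-side. A bare redirect to /logout relies on
        // the client following it, and an attacker's client will not.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Session settings that do more against hijacking than the fingerprint:
ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_set_cookie_params([
    'httponly' => true,  // not readable by script, so XSS cannot copy it
    'secure'   => true,  // sent over HTTPS only
    'samesite' => 'Lax',
]);
session_start();

if (!validate_session($_SERVER, FINGERPRINT_SECRET)) {
    header('Location: /login');
    exit();
}
```

Include this file before any output is sent, since both ini_set() for session options and session_set_cookie_params() must run before session_start(), and session_start() must precede the header() redirect.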